---
title: istio.v1.auth
layout: protoc-gen-docs
generator: protoc-gen-docs
number_of_entries: 3
---
<h2 id="Services">Services</h2>
<h3 id="IstioCertificateService">IstioCertificateService</h3>
<section>
<p>Service for managing certificates issued by the CA.</p>

<pre id="IstioCertificateService-CreateCertificate"><code class="language-proto">rpc CreateCertificate(IstioCertificateRequest) returns (IstioCertificateResponse)
</code></pre>
<p>Using provided CSR, returns a signed certificate.</p>

</section>
<h2 id="Types">Types</h2>
<h3 id="IstioCertificateRequest">IstioCertificateRequest</h3>
<section>
<p>Certificate request message. The authentication should be based on:</p>
<ol>
<li>Bearer tokens carried in the side channel;</li>
<li>Client-side certificate via Mutual TLS handshake.
Note: the service implementation is REQUIRED to verify the authenticated caller is authorize to
all SANs in the CSR. The server side may overwrite any requested certificate field based on its
policies.</li>
</ol>

<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="IstioCertificateRequest-csr">
<td><code>csr</code></td>
<td><code>string</code></td>
<td>
<p>PEM-encoded certificate request.
The public key in the CSR is used to generate the certificate,
and other fields in the generated certificate may be overwritten by the CA.</p>

</td>
<td>
No
</td>
</tr>
<tr id="IstioCertificateRequest-validity_duration">
<td><code>validityDuration</code></td>
<td><code>int64</code></td>
<td>
<p>Optional: requested certificate validity period, in seconds.</p>

</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h3 id="IstioCertificateResponse">IstioCertificateResponse</h3>
<section>
<p>Certificate response message.</p>

<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="IstioCertificateResponse-cert_chain">
<td><code>certChain</code></td>
<td><code>string[]</code></td>
<td>
<p>PEM-encoded certificate chain.
The leaf cert is the first element, and the root cert is the last element.</p>

</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
